smack.h File Reference
#include <linux/capability.h>
#include <linux/spinlock.h>
#include <linux/security.h>
#include <linux/in.h>
#include <net/netlabel.h>
#include <linux/list.h>
#include <linux/rculist.h>
#include <linux/lsm_audit.h>


Data Structures

struct  superblock_smack
 
struct  socket_smack
 
struct  inode_smack
 
struct  task_smack
 
struct  smack_rule
 
struct  smk_netlbladdr
 
struct  smack_known
 
struct  smack_audit_data
 
struct  smk_audit_info
 

Macros

#define SMK_LABELLEN   24
 
#define SMK_LONGLABEL   256
 
#define SMK_CIPSOLEN   24
 
#define SMK_INODE_INSTANT   0x01 /* inode is instantiated */
 
#define SMK_INODE_TRANSMUTE   0x02 /* directory is transmuting */
 
#define SMK_INODE_CHANGED   0x04 /* smack was transmuted */
 
#define SMK_FSDEFAULT   "smackfsdef="
 
#define SMK_FSFLOOR   "smackfsfloor="
 
#define SMK_FSHAT   "smackfshat="
 
#define SMK_FSROOT   "smackfsroot="
 
#define SMACK_CIPSO_OPTION   "-CIPSO"
 
#define SMACK_UNLABELED_SOCKET   0
 
#define SMACK_CIPSO_SOCKET   1
 
#define SMACK_MAGIC   0x43415d53 /* "SMAC" */
 
#define SMACK_CIPSO_DOI_DEFAULT   3 /* Historical */
 
#define SMACK_CIPSO_DOI_INVALID   -1 /* Not a DOI */
 
#define SMACK_CIPSO_DIRECT_DEFAULT   250 /* Arbitrary */
 
#define SMACK_CIPSO_MAPPED_DEFAULT   251 /* Also arbitrary */
 
#define SMACK_CIPSO_MAXCATVAL   63 /* Bigger gets harder */
 
#define SMACK_CIPSO_MAXLEVEL   255 /* CIPSO 2.2 standard */
 
#define SMACK_CIPSO_MAXCATNUM   239 /* CIPSO 2.2 standard */
 
#define MAY_TRANSMUTE   64
 
#define MAY_ANYREAD   (MAY_READ | MAY_EXEC)
 
#define MAY_READWRITE   (MAY_READ | MAY_WRITE)
 
#define MAY_NOT   0
 
#define SMK_NUM_ACCESS_TYPE   5
 
#define SMACK_AUDIT_DENIED   0x1
 
#define SMACK_AUDIT_ACCEPT   0x2
 

Functions

struct inode_smack * new_inode_smack (char *)
 
int smk_access_entry (char *, char *, struct list_head *)
 
int smk_access (char *, char *, int, struct smk_audit_info *)
 
int smk_curacc (char *, u32, struct smk_audit_info *)
 
char * smack_from_secid (const u32)
 
char * smk_parse_smack (const char *string, int len)
 
int smk_netlbl_mls (int, char *, struct netlbl_lsm_secattr *, int)
 
char * smk_import (const char *, int)
 
struct smack_known * smk_import_entry (const char *, int)
 
struct smack_known * smk_find_entry (const char *)
 
u32 smack_to_secid (const char *)
 
void smack_log (char *subject_label, char *object_label, int request, int result, struct smk_audit_info *auditdata)
 

Variables

int smack_cipso_direct
 
int smack_cipso_mapped
 
char * smack_net_ambient
 
char * smack_onlycap
 
const char * smack_cipso_option
 
struct smack_known smack_known_floor
 
struct smack_known smack_known_hat
 
struct smack_known smack_known_huh
 
struct smack_known smack_known_invalid
 
struct smack_known smack_known_star
 
struct smack_known smack_known_web
 
struct mutex smack_known_lock
 
struct list_head smack_known_list
 
struct list_head smk_netlbladdr_list
 
struct security_operations smack_ops
 
int log_policy
 

Macro Definition Documentation

#define MAY_ANYREAD   (MAY_READ | MAY_EXEC)

Definition at line 174 of file smack.h.

#define MAY_NOT   0

Definition at line 176 of file smack.h.

#define MAY_READWRITE   (MAY_READ | MAY_WRITE)

Definition at line 175 of file smack.h.

#define MAY_TRANSMUTE   64

Definition at line 170 of file smack.h.

#define SMACK_AUDIT_ACCEPT   0x2

Definition at line 302 of file smack.h.

#define SMACK_AUDIT_DENIED   0x1

Definition at line 301 of file smack.h.

#define SMACK_CIPSO_DIRECT_DEFAULT   250 /* Arbitrary */

Definition at line 161 of file smack.h.

#define SMACK_CIPSO_DOI_DEFAULT   3 /* Historical */

Definition at line 159 of file smack.h.

#define SMACK_CIPSO_DOI_INVALID   -1 /* Not a DOI */

Definition at line 160 of file smack.h.

#define SMACK_CIPSO_MAPPED_DEFAULT   251 /* Also arbitrary */

Definition at line 162 of file smack.h.

#define SMACK_CIPSO_MAXCATNUM   239 /* CIPSO 2.2 standard */

Definition at line 165 of file smack.h.

#define SMACK_CIPSO_MAXCATVAL   63 /* Bigger gets harder */

Definition at line 163 of file smack.h.

#define SMACK_CIPSO_MAXLEVEL   255 /* CIPSO 2.2 standard */

Definition at line 164 of file smack.h.

#define SMACK_CIPSO_OPTION   "-CIPSO"

Definition at line 136 of file smack.h.

#define SMACK_CIPSO_SOCKET   1

Definition at line 149 of file smack.h.

#define SMACK_MAGIC   0x43415d53 /* "SMAC" */

Definition at line 154 of file smack.h.

#define SMACK_UNLABELED_SOCKET   0

Definition at line 148 of file smack.h.

#define SMK_CIPSOLEN   24

Definition at line 38 of file smack.h.

#define SMK_FSDEFAULT   "smackfsdef="

Definition at line 131 of file smack.h.

#define SMK_FSFLOOR   "smackfsfloor="

Definition at line 132 of file smack.h.

#define SMK_FSHAT   "smackfshat="

Definition at line 133 of file smack.h.

#define SMK_FSROOT   "smackfsroot="

Definition at line 134 of file smack.h.

#define SMK_INODE_CHANGED   0x04 /* smack was transmuted */

Definition at line 74 of file smack.h.

#define SMK_INODE_INSTANT   0x01 /* inode is instantiated */

Definition at line 72 of file smack.h.

#define SMK_INODE_TRANSMUTE   0x02 /* directory is transmuting */

Definition at line 73 of file smack.h.

#define SMK_LABELLEN   24

Definition at line 28 of file smack.h.

#define SMK_LONGLABEL   256

Definition at line 29 of file smack.h.

#define SMK_NUM_ACCESS_TYPE   5

Definition at line 181 of file smack.h.

Function Documentation

struct inode_smack* new_inode_smack ( char *smack)

new_inode_smack - allocate an inode security blob. @smack: a pointer to the Smack label to use in the blob

Returns the new blob, or NULL if there is no memory available.

Definition at line 84 of file smack_lsm.c.

char* smack_from_secid ( const u32  secid)

smack_from_secid - find the Smack label associated with a secid. @secid: an integer that might be associated with a Smack label

Returns a pointer to the appropriate Smack label if there is one, otherwise a pointer to the invalid Smack label.

Definition at line 517 of file smack_access.c.

void smack_log ( char *subject_label,
char *object_label,
int  request,
int  result,
struct smk_audit_info *auditdata 
)

Definition at line 317 of file smack_access.c.

u32 smack_to_secid ( const char *smack)

smack_to_secid - find the secid associated with a Smack label. @smack: the Smack label

Returns the appropriate secid if there is one, otherwise 0.

Definition at line 544 of file smack_access.c.

int smk_access ( char *subject_label,
char *object_label,
int  request,
struct smk_audit_info *a 
)

smk_access - determine if a subject has a specific access to an object. @subject_label: a pointer to the subject's Smack label. @object_label: a pointer to the object's Smack label. @request: the access requested, in "MAY" format. @a: a pointer to the audit data

This function looks up the subject/object pair in the access rule list and returns 0 if the access is permitted, non-zero otherwise.

Smack labels are shared on smack_list

Definition at line 118 of file smack_access.c.

int smk_access_entry ( char *subject_label,
char *object_label,
struct list_head *rule_list 
)

smk_access_entry - look up matching access rule. @subject_label: a pointer to the subject's Smack label. @object_label: a pointer to the object's Smack label. @rule_list: the list of rules to search

This function looks up the subject/object pair in the access rule list and returns the access mode. If no entry is found, it returns -ENOENT.

NOTE:

Earlier versions of this function allowed for labels that were not on the label list. This was done to allow for labels to come over the network that had never been seen before on this host. Unless the receiving socket has the star label this will always result in a failure check. The star labeled socket case is now handled in the networking hooks so there is no case where the label is not on the label list. Checking to see if the address of two labels is the same is now a reliable test.

Do the object check first because that is more likely to differ.

Definition at line 88 of file smack_access.c.

int smk_curacc ( char *obj_label,
u32  mode,
struct smk_audit_info *a 
)

smk_curacc - determine if current has a specific access to an object. @obj_label: a pointer to the object's Smack label. @mode: the access requested, in "MAY" format. @a: common audit data

This function checks the current subject label/object label pair in the access rule list and returns 0 if the access is permitted, non-zero otherwise. It allows for current holding a capability that overrides the rules.

Definition at line 198 of file smack_access.c.

struct smack_known* smk_find_entry ( const char *string)

smk_find_entry - find a label on the list, return the list entry. @string: a text string that might be a Smack label

Returns a pointer to the entry in the label list that matches the passed string.

Definition at line 332 of file smack_access.c.

char* smk_import ( const char *string,
int  len 
)

smk_import - import a smack label. @string: a text string that might be a Smack label. @len: the maximum size, or zero if it is NUL-terminated.

Returns a pointer to the label in the label list that matches the passed string, adding it if necessary.

Definition at line 497 of file smack_access.c.

struct smack_known* smk_import_entry ( const char *string,
int  len 
)

smk_import_entry - import a label, return the list entry. @string: a text string that might be a Smack label. @len: the maximum size, or zero if it is NUL-terminated.

Returns a pointer to the entry in the label list that matches the passed string, adding it if necessary.

Definition at line 428 of file smack_access.c.

int smk_netlbl_mls ( int  level,
char *catset,
struct netlbl_lsm_secattr *sap,
int  len 
)

smk_netlbl_mls - convert a catset to netlabel mls categories. @catset: the Smack categories. @sap: where to put the netlabel categories

Allocates and fills attr.mls. Returns 0 on success, error code on failure.

Definition at line 391 of file smack_access.c.

char* smk_parse_smack ( const char *string,
int  len 
)

smk_parse_smack - parse a smack label from a text string. @string: a text string that might contain a Smack label. @len: the maximum size, or zero if it is NUL-terminated.

Returns a pointer to the clean label, or NULL.

Definition at line 351 of file smack_access.c.

Variable Documentation

int log_policy

Definition at line 61 of file smack_access.c.

int smack_cipso_direct

Definition at line 75 of file smackfs.c.

int smack_cipso_mapped

Definition at line 82 of file smackfs.c.

const char* smack_cipso_option

Definition at line 115 of file smackfs.c.

struct smack_known smack_known_floor

Definition at line 34 of file smack_access.c.

struct smack_known smack_known_hat

Definition at line 24 of file smack_access.c.

struct smack_known smack_known_huh

Definition at line 19 of file smack_access.c.

struct smack_known smack_known_invalid

Definition at line 39 of file smack_access.c.

struct list_head smack_known_list
struct mutex smack_known_lock
struct smack_known smack_known_star

Definition at line 29 of file smack_access.c.

struct smack_known smack_known_web

Definition at line 44 of file smack_access.c.

char* smack_net_ambient

Definition at line 68 of file smackfs.c.

char* smack_onlycap

Definition at line 92 of file smackfs.c.

struct security_operations smack_ops

Definition at line 3401 of file smack_lsm.c.

struct list_head smk_netlbladdr_list